Security underpins everything ticketable.events does — people trust us with their accounts, their attendees and their event revenue. This page describes the measures we take and how to report a concern.
Payments
Card payments are processed by Stripe, a payment provider certified to the PCI-DSS standard. Card numbers and security codes go directly to Stripe and are never seen or stored by ticketable.events. We keep only limited payment metadata, such as the card brand and last four digits, to display on receipts. Organiser payouts run through Stripe’s direct-charge model, so revenue reaches organisers without us holding their funds.
Encryption
All traffic to and from the service is encrypted in transit using HTTPS/TLS. Data stored by our infrastructure providers is protected by their at-rest encryption.
Accounts and access
- Passwords are stored only as salted hashes by our authentication provider — never in plain text.
- You can sign in with email and password, or with Google or Apple single sign-on.
- Organiser teams use role-based access control, so each team member only has the permissions their role allows.
- The system is multi-tenant with strict isolation, so one organisation cannot access another’s data.
Infrastructure
We build on established cloud providers (including Amazon Web Services and Vercel) that maintain their own independent security certifications and physical safeguards. Core application data is hosted in the EU (Ireland). We apply least-privilege access controls to our backend systems and keep credentials and secrets out of client-side code.
Tickets and check-in
Each ticket carries a unique code, and check-in is designed so a ticket can only be admitted once, helping prevent duplicate or fraudulent entry. Door check-in works even when connectivity drops and reconciles when it returns.
Reporting a vulnerability
We welcome reports from security researchers and users. If you believe you’ve found a vulnerability, please email security@ticketable.events with enough detail to reproduce it. We ask that you:
- Give us a reasonable opportunity to investigate and fix the issue before disclosing it publicly.
- Avoid accessing, modifying or deleting data that isn’t yours, and avoid privacy violations or service disruption.
- Don’t run automated testing that degrades the service for others.
Acting in good faith under these guidelines, we won’t pursue action against you for your research.
A note on shared responsibility
Organisers help keep accounts safe by using strong, unique passwords, managing team access carefully, and keeping their connected payment account secure. No online service can be completely secure, but we work continuously to protect your data and to respond quickly when issues arise.
Related
See our Privacy Policy for what data we hold and your rights, and our Cookies Policy for what we set in your browser.